[MS-BKRP] backupkey server and GnuTLS

Andrew Bartlett abartlet at samba.org
Thu Nov 26 22:44:41 UTC 2015


On Thu, 2015-11-26 at 16:55 +0100, Andreas Schneider wrote:
> On Friday 20 November 2015 10:44:04 Andrew Bartlett wrote:
> > > So I hope you can explain the testing procedures you used ...
> > 
> > This is what we did (we used libvirt snapshot VMs):
> > 
> > - Take a Dec 2014 patched Windows 8.1 machine that has never, ever
> > been joined to the domain
> > 
> > - Join to the domain
> > 
> > - Log in as administrator
> > 
> > - Open Credentials Manager (part of control panel, can be searched
> > for)
> > 
> > - If it gives an error, then there is an issue; if it opens
> > correctly you are OK.
> 
> Hi Andrew,
> 
> I've tested with Windows 8.1 and fixed the remaining bugs. After I
> identified the remaining issues, I've improved the torture test. It
> doesn't only validate the RSA key bits but also the rest of the cert.
> I ran the test against Windows 2012 to fine-tune it.
> 
> You can find the patchset for review here:
> 
> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-rpc-bkrp
> 
> So that we are completely using GnuTLS, you need version 3.4.7. This
> version offers gnutls_x509_crt_set_issuer_unique_id(). I check for this
> symbol and, if found, we only build the backupkey server using GnuTLS.
> If not, the certificate self-signing part still uses Heimdal.
> 
> The top commit is an additional torture test which only works against
> Windows and backupkey built with GnuTLS 3.4.7.
> 
> Attached shows that Windows 8.1 Credentials Manager is working.
> 
> 
> Please review and push!

Garming was looking carefully over the code yesterday when he was in
the office, so I'll ask him to finish that and get you his
reviews/comments on Monday.
Thanks for all your hard efforts here.  Removing the dependency on
Heimdal is a critical step for Samba as an AD DC, and this is really
important work.  It is also really complex, sensitive code that has
caused issues in the past, so while I know it is frustrating I would
kindly ask you to wait for Garming's review.
I really appreciate that you not only fixed the issues against Windows,
but extended the testsuite to match.
Thanks!
Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba